lyric2249 opened a new pull request, #69773: URL: https://github.com/apache/airflow/pull/69773
`FabAuthRolePublicMiddleware` (added in #65685) sets `request.state.user` for anonymous requests when `AUTH_ROLE_PUBLIC` / `[fab] auth_role_public` is configured, but never sets `request.state.user_authenticated_via`. Core's `get_user()` dependency requires both attributes before it will trust a pre-set user and skip JWT validation, so anonymous requests still fall through to JWT validation and get rejected with 401 even though the public role is configured correctly. This sets the same trust marker `JWTRefreshMiddleware` already sets, so both middlewares satisfy the same contract that `get_user()` checks. The existing `test_sets_public_user_when_no_auth_present` test already exercises this exact code path, so it is extended with one assertion for the new attribute rather than adding a separate test; no existing assertions were changed or removed. related: #60897 --- ##### Was generative AI tooling used to co-author this PR? - [X] Yes — Claude Code (Sonnet 5) Generated-by: Claude Code (Sonnet 5) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
